Description
Cross-Site Request Forgery (CSRF) vulnerability in yonisink Custom Post Type Images custom-post-types-image allows Code Injection. This issue affects Custom Post Type Images: from n/a through <= 0.5.
Published: 2025-09-22
Score: 9.6 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a CSRF flaw in the yonisink Custom Post Type Images WordPress plugin that allows an attacker to inject arbitrary code into the site. Because the plugin accepts form data without validating a CSRF token, a forged request can execute custom code that the attacker supplies, potentially giving them control over the site's files and functionality.

Affected Systems

The issue affects all WordPress installations that use the yonisink Custom Post Type Images plugin at version 0.5 or earlier. Any site running this plugin before the vulnerability is fixed is at risk.

Risk and Exploitability

This flaw has a CVSS score of 9.6, indicating critical severity. The EPSS score is less than 1%, suggesting a low current exploitation probability, and it is not listed in the CISA KEV catalog. Based on the description, the likely attack vector is a forged HTTP request that a victim triggers by visiting a malicious link or loading a page containing malicious code. The lack of CSRF protection allows attackers to submit code that the site will execute, potentially compromising site integrity and confidentiality.

Generated by OpenCVE AI on April 30, 2026 at 01:30 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the yonisink Custom Post Type Images plugin to a patched version or uninstall it if no update is available.
  • If an update cannot be applied immediately, limit access to the plugin’s administration pages using a firewall or IP restrictions to reduce exposure.
  • Apply a web application firewall rule to block crafted CSRF requests targeting the plugin endpoint and monitor logs for suspicious activity.
  • Enable WordPress’s nonce mechanism for all form submissions within the plugin to add an additional layer of CSRF protection (CWE-352 mitigation).

Generated by OpenCVE AI on April 30, 2026 at 01:30 UTC.
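The nonce recommendation above is the plugin-side fix for CWE-352. The following is an added illustration written for this page, not code from the Custom Post Type Images plugin or from OpenCVE: a hypothetical admin settings handler (all `cptix_*` names, the option key and the action slug are assumptions) shown first in the unprotected form that characterises a CSRF-prone handler, then hardened with the standard WordPress nonce and capability checks plus input sanitisation.

```php
<?php
/*
 * Added example (not the plugin's own code). A hypothetical settings form
 * for a "custom post type image" option; every cptix_* name is assumed.
 */

// --- Unprotected pattern (the CWE-352 shape) ---
// Any POST reaching admin-post.php with this action is honoured, including
// one that a logged-in administrator's browser was tricked into sending.
function cptix_save_settings_unprotected() {
    update_option( 'cptix_image_class', $_POST['cptix_image_class'] );
    wp_safe_redirect( admin_url( 'options-general.php?page=cptix' ) );
    exit;
}

// --- Hardened pattern ---

// 1. Emit a nonce with the form. It is bound to this action and to the
//    current user's session, so a third-party page cannot reproduce it.
function cptix_render_settings_form() {
    $current = get_option( 'cptix_image_class', '' );
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <?php wp_nonce_field( 'cptix_save_settings', 'cptix_nonce' ); ?>
        <input type="hidden" name="action" value="cptix_save_settings">
        <label>Image CSS class
            <input type="text" name="cptix_image_class"
                   value="<?php echo esc_attr( $current ); ?>">
        </label>
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

// 2. Check capability AND nonce before touching state. The nonce defeats
//    cross-site forgery; the capability check stops low-privilege users,
//    who can obtain a valid nonce of their own, from changing settings.
function cptix_save_settings() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }
    // Terminates the request with a 403 page when the nonce is absent or invalid.
    check_admin_referer( 'cptix_save_settings', 'cptix_nonce' );

    // 3. Sanitise to the expected shape: a CSS class name, nothing executable.
    $class = isset( $_POST['cptix_image_class'] )
        ? sanitize_html_class( wp_unslash( $_POST['cptix_image_class'] ) )
        : '';
    update_option( 'cptix_image_class', $class );

    wp_safe_redirect( add_query_arg( 'updated', '1', admin_url( 'options-general.php?page=cptix' ) ) );
    exit;
}
add_action( 'admin_post_cptix_save_settings', 'cptix_save_settings' );
```

`check_admin_referer()` is the right call for admin form handlers because it fails closed; handlers that need a softer failure can use `wp_verify_nonce()` and return an error instead. The capability check is deliberately separate from the nonce check, since a nonce only proves the request originated from a page the site served to this user, not that the user is allowed to perform the action.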

Advisories

Source: EUVD
ID: EUVD-2025-30594
Title: Cross-Site Request Forgery (CSRF) vulnerability in yonisink Custom Post Type Images allows Code Injection. This issue affects Custom Post Type Images: from n/a through 0.5.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type: Metrics
  Values Added: cvssV3_1 {'score': 9.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H'}


Wed, 01 Apr 2026 23:45:00 +0000

Type: Description
  Values Removed: Cross-Site Request Forgery (CSRF) vulnerability in yonisink Custom Post Type Images allows Code Injection. This issue affects Custom Post Type Images: from n/a through 0.5.
  Values Added: Cross-Site Request Forgery (CSRF) vulnerability in yonisink Custom Post Type Images custom-post-types-image allows Code Injection.This issue affects Custom Post Type Images: from n/a through <= 0.5.
Type: References (no values shown)
Type: Metrics
  Values Added: cvssV3_1 {'score': 9.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H'}


Tue, 23 Sep 2025 17:15:00 +0000

Type: Metrics
  Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 23 Sep 2025 16:15:00 +0000

Type: First Time appeared
  Values Added: Wordpress; Wordpress wordpress
Type: Vendors & Products
  Values Added: Wordpress; Wordpress wordpress

Mon, 22 Sep 2025 18:30:00 +0000

Type: Description
  Values Added: Cross-Site Request Forgery (CSRF) vulnerability in yonisink Custom Post Type Images allows Code Injection. This issue affects Custom Post Type Images: from n/a through 0.5.
Type: Title
  Values Added: WordPress Custom Post Type Images Plugin <= 0.5 - Cross Site Request Forgery (CSRF) Vulnerability
Type: Weaknesses
  Values Added: CWE-352
Type: References (no values shown)
Type: Metrics
  Values Added: cvssV3_1 {'score': 9.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-05-12T00:56:32.919Z

Reserved: 2025-08-27T16:19:53.146Z

Link: CVE-2025-58255

Vulnrichment

Updated: 2025-09-23T15:58:58.130Z

NVD

Status : Deferred

Published: 2025-09-22T19:16:11.530

Modified: 2026-04-23T15:33:23.603

Link: CVE-2025-58255

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T01:45:06Z

Weaknesses
  • CWE-352: Cross-Site Request Forgery (CSRF)